Kimsuky Deploys HTTPSpy, Expands Arsenal with HelloDoor and VS Code Tunnels
ID: 0e4940dc-4bde-56ea-a879-b727d5f8678a
STIX ID: report--0e4940dc-4bde-56ea-a879-b727d5f8678a
Feed Name: The Hacker News
Kimsuky (aka Velvet Chollima) conducted targeted campaigns in Mar–Apr 2026 against South Korean military and corporate targets, using convincing lures (spoofed security software installers and a counterfeit Webex meeting page) to deliver the HTTPSpy RAT and related families (HelloDoor, HttpMalice, AppleSeed). The attacks used staged loaders (MemLoader.dll, encrypted JSE, PowerShell downloaders), established persistence via scheduled tasks and VS Code remote tunneling or DWAgent, and introduced novel techniques such as JSONPing as well as components written in Rust or built with LLM assistance. The attackers likely used compromised meeting schedules and accounts to deliver payloads selectively, then continued post-exploitation data collection and remote control.
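The persistence mechanisms the summary names (scheduled tasks, VS Code remote tunnels, DWAgent) leave recognisable traces in endpoint telemetry: the VS Code CLI exposes tunnels as `code tunnel` (and `code tunnel service install` to persist one), and a tunnel spawned by a script host or a scheduled task is far more suspicious than one a developer starts from a shell. The hunt below is an added example, not code from the report, The Hacker News, or the malware itself. It assumes Sysmon-style JSON-lines events with constructed field names (`type`, `image`, `cmdline`, `parent`, `user`, `task`, `action`); the sample events, task names and paths are constructed for the demo, and the DWAgent binary-name pattern is an assumption rather than an indicator from the report.

```python
"""Hunt for VS Code tunnel and DWAgent persistence in endpoint telemetry.

Added example, not code from the report. Assumes JSON-lines telemetry with
Sysmon-like field names; all field names, paths and sample events are
constructed for this demo.
"""
import json
import re

# VS Code CLI remote tunnels are started with `code tunnel` (and installed as a
# service with `code tunnel service install`).
VSCODE_TUNNEL_RE = re.compile(r"\bcode(?:\.exe)?\b.*\btunnel\b", re.IGNORECASE)
# DWAgent remote-access agent. The binary-name pattern is an assumption.
DWAGENT_RE = re.compile(r"dwag(?:ent|svc)", re.IGNORECASE)
# Script hosts and shells matching the loaders the summary mentions (JSE, PowerShell).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}


def classify(event: dict) -> list[str]:
    """Return the rule names an event triggers (empty list if benign)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        cmd = event.get("cmdline", "")
        parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
        if VSCODE_TUNNEL_RE.search(cmd):
            hits.append("vscode_tunnel_process")
            if parent in SCRIPT_PARENTS:  # tunnel launched by a loader, not a user
                hits.append("vscode_tunnel_script_parent")
        if DWAGENT_RE.search(event.get("image", "")) or DWAGENT_RE.search(cmd):
            hits.append("dwagent_process")
    elif kind == "task_create":
        action = event.get("action", "")
        if VSCODE_TUNNEL_RE.search(action):
            hits.append("scheduled_task_vscode_tunnel")
        if DWAGENT_RE.search(action):
            hits.append("scheduled_task_dwagent")
    return hits


def hunt(jsonl: str) -> list[dict]:
    """Parse JSON-lines telemetry and return one finding per flagged event."""
    findings = []
    for lineno, raw in enumerate(jsonl.splitlines(), start=1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        rules = classify(event)
        if rules:
            findings.append({"line": lineno, "user": event.get("user"),
                             "task": event.get("task"), "rules": rules})
    return findings


# Constructed sample events (not real telemetry from the campaign).
_SAMPLE = [
    {"type": "process", "user": "CORP\\jlee",
     "image": r"C:\Users\jlee\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"code.exe C:\Users\jlee\project"},  # benign editor launch
    {"type": "process", "user": "CORP\\jlee",
     "image": r"C:\Users\jlee\AppData\Local\Programs\Microsoft VS Code\bin\code.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "code.exe tunnel --accept-server-license-terms --name ws01"},  # tunnel from a script host
    {"type": "task_create", "user": "CORP\\jlee", "task": r"\UpdateCheck",
     "action": r"C:\Users\jlee\AppData\Local\Programs\Microsoft VS Code\bin\code.exe tunnel service install"},
    {"type": "task_create", "user": "SYSTEM", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "action": r"%windir%\system32\defrag.exe -c -h -k -g -$"},  # benign built-in task
    {"type": "task_create", "user": "CORP\\jlee", "task": r"\DWAgent",
     "action": r"C:\Program Files\DWAgent\native\dwagsvc.exe"},
    "not json at all",  # malformed line, should be skipped
]
SAMPLE_LOG = "\n".join(e if isinstance(e, str) else json.dumps(e) for e in _SAMPLE)

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run against the constructed log, the hunt flags the tunnel launched under `wscript.exe` (twice, once for the tunnel and once for the script-host parent), the scheduled task that installs the tunnel service, and the DWAgent task, while leaving the ordinary editor launch and the built-in defrag task alone. In production the same `classify` logic would run over real process-creation and task-registration events, and the parent-process rule is the one to tune first, since developers do legitimately start tunnels from a shell.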
